Exponential catastrophic backtracking (ReDoS) in marked
CVE-2022-21681

7.5HIGH

Key Information:

Vendor: Markedjs
Status: Marked
Vendor: CVE Published:; 14 January 2022

What is CVE-2022-21681?

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Affected Version(s)

marked < 4.0.10

References

https://github.com/markedjs/marked/security/advisories/GH...

https://github.com/markedjs/marked/commit/8f806573a3f6c6b...

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2022
Vulnerability Reserved
Nov 16, 2021

CVE-2022-21681 Data

JSON

Markedjs

What is CVE-2022-21681?

Affected Version(s)

References

CVSS V3.1

Timeline